ACL for ASA

Chin Chang — Fri, 21 Feb 2020 17:50:13 GMT

Dears,
My trouble is ACL that any4 or specified host. My topology:

And configuration of devices:
[Internet]v15.2
interface GigabitEthernet1/0
ip address 209.165.1.1 255.255.255.0
no shutdown
===============================
[ciscoasa]v9.6
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 209.165.1.2 255.255.255.0
no shutdown
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.0.0.1 255.0.0.0
no shutdown
!
object network LAN
subnet 10.0.0.0 255.0.0.0
nat (inside,outside) dynamic interface
object network WEB
host 10.0.0.2
nat (inside,outside) static interface service tcp 80 80
!
access-list asa extended permit icmp any4 host 209.165.1.2
access-list asa extended permit icmp any4 interface outside
access-list asa extended permit icmp any4 interface outside echo
access-list asa extended permit icmp any4 interface outside echo-reply
access-list asa extended permit tcp any4 host 209.165.1.2
access-list asa extended permit tcp any4 interface outside eq 80
access-group asa in interface outside
!
route outside 0.0.0.0 0.0.0.0 209.165.1.1
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
===============================
[WEB]v15.2
interface GigabitEthernet1/0
ip address 10.0.0.2 255.0.0.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.0.1
ip http server
===============================

In these configuration, Web cann't ping Internet(209.165.1.1) but ICMP echo-request has reachable and echo-reply has unreachable.
And Internet can not access web. Please refer...
WEB#ping 209.165.1.1 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 209.165.1.1, timeout is 2 seconds:
...
Success rate is 0 percent (0/3)
WEB#

Internet#
*Jan 16 15:05:35.051: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
Internet#
*Jan 16 15:05:37.051: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
Internet#
*Jan 16 15:05:39.043: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
Internet#

However, I modified ACL:
access-list asa extended permit icmp any4 any4
access-list asa extended permit tcp any4 any4
access-group asa in interface outside

WEB#ping 209.165.1.1 repeat 3
Type escape sequence to abort.
Sending 3, 100-byte ICMP Echos to 209.165.1.1, timeout is 2 seconds:
!!!
Success rate is 100 percent (3/3), round-trip min/avg/max = 16/20/24 ms
WEB#

Internet#
*Jan 16 15:09:30.115: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
*Jan 16 15:09:30.135: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
*Jan 16 15:09:30.159: ICMP: echo reply sent, src 209.165.1.1, dst 209.165.1.2, topology BASE, dscp 0 topoid 0
Internet#
Internet#telnet 209.165.1.2 80
Trying 209.165.1.2, 80 ... Open
get
HTTP/1.1 400 Bad Request
Date: Thu, 16 Jan 2020 15:10:00 GMT
Server: cisco-IOS
Accept-Ranges: none

400 Bad Request
[Connection to 209.165.1.2 closed by foreign host]
Internet#

It resolved! But why? For Internet, destination IP address that echo-reply and web are not 209.165.1.2? impossible?

Regards

Re: ACL for ASA

Rob Ingram — Thu, 16 Jan 2020 19:40:49 GMT

Hi,
It's probably because you've specified the destination as "interface outside", when configuring an ACL you always need to specify the real IP address, in this instance it would be 10.0.0.x - hence why "any4" works.

HTH

Re: ACL for ASA

Chin Chang — Fri, 17 Jan 2020 04:33:03 GMT

I have test and understand. External packets to internal over ASA, they first NAT and then ACL.
Thank you!

topic ACL for ASA in Network Security

ACL for ASA

Re: ACL for ASA

Re: ACL for ASA